Skip to content
Open
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
5 changes: 5 additions & 0 deletions config/_default/menus/main.en.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -8041,6 +8041,11 @@ menu:
url: /security/code_security/dev_tool_int/mcp_server/
parent: dev_tool_int
weight: 5
- name: SCFW GitHub Action

@drichards-87 drichards-87 Jul 13, 2026

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Could we move the new left nav entry for the SCFW GitHub Action doc so it appears below line 8058, after the Troubleshooting topic nested under MCP Server in the left nav? The ordering works as far as how it renders on the docs site, but for maintainability, it would be better if the menu items match the order shown in the left nav.

identifier: dev_tool_int_scfw_github_action
url: /security/code_security/dev_tool_int/scfw_github_action/
parent: dev_tool_int
weight: 5

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
weight: 5
weight: 6

- name: Tools Reference
identifier: dev_tool_int_mcp_server_tools_reference
url: /security/code_security/dev_tool_int/mcp_server/tools_reference/
Expand Down
6 changes: 3 additions & 3 deletions content/en/security/code_security/_index.md
Original file line number Diff line number Diff line change
Expand Up @@ -40,7 +40,7 @@ Code Security scans your first-party code and open source libraries used in your
- [Runtime Code Analysis (IAST)][3] for identifying vulnerabilities in the first-party code within your services
- [Secret Scanning][8] for identifying and validating leaked secrets
- [Infrastructure as Code (IaC) Security][10] for identifying security misconfigurations in IaC stored in your repositories
- [Supply Chain Security](#supply-chain-security-preview) for preventing malicious packages from entering your development environment and code repositories
- [Supply Chain Security](#supply-chain-security-preview) for preventing malicious packages from entering your development environment and code repositories

Code Security helps teams implement DevSecOps throughout the organization:
- **Developers:** early vulnerability detection, code quality improvements, faster development as developers spend less time debugging and patching.
Expand Down Expand Up @@ -106,12 +106,11 @@ With [Cloud Security Management (CSM)][18], you can see misconfigurations in IaC
Use this form to submit your request to join the Supply Chain Security Preview.
{{< /callout >}}


Supply Chain Security prevents malicious open source packages from entering your development environments at the point of installation, before they reach your repositories or CI/CD pipelines.

Unlike SCA, which scans dependencies already in your codebase, the Datadog Supply Chain Firewall (SCFW) intercepts package manager commands (`npm`, `pip`, `poetry`) in real time and blocks malicious or recently published packages before they are installed.

Supply Chain Security evaluates every package install against Datadog's malicious package feed (powered by GuardDog), known vulnerability advisories, and configurable recency thresholds. When it flags a package, it blocks installation immediately with a clear, actionable message (on both developer laptops and CI runners).
Supply Chain Security evaluates every package install against Datadog's malicious package feed (powered by [GuardDog](https://github.com/DataDog/guarddog)), known vulnerability advisories, and configurable recency thresholds. SCFW immediately blocks installation of flagged packages with a clear, actionable message on both developer laptops and [CI runners][20].

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
Supply Chain Security evaluates every package install against Datadog's malicious package feed (powered by [GuardDog](https://github.com/DataDog/guarddog)), known vulnerability advisories, and configurable recency thresholds. SCFW immediately blocks installation of flagged packages with a clear, actionable message on both developer laptops and [CI runners][20].
Supply Chain Security evaluates every package install against Datadog's malicious package feed (powered by [GuardDog][21]), known vulnerability advisories, and configurable recency thresholds. If a package matches one of these checks, SCFW immediately blocks the installation and displays a clear, actionable message on developer laptops and [CI runners][20].


In addition to protecting individual developer machines or CI pipelines, SCFW provides event observability to search, filter, and audit ALLOW, WARN, and BLOCK events across developer machines and CI systems in a unified event feed.

Expand Down Expand Up @@ -140,3 +139,4 @@ The [Code Security MCP Server][19] is a local Model Context Protocol (MCP) serve
[17]: /security/code_security/iac_security/setup/?tab=github
[18]: /security/cloud_security_management/
[19]: /security/code_security/dev_tool_int/mcp_server/
[20]: /security/code_security/dev_tool_int/scfw_github_action/

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
[20]: /security/code_security/dev_tool_int/scfw_github_action/
[20]: /security/code_security/dev_tool_int/scfw_github_action/
[21]: https://github.com/DataDog/guarddog

Original file line number Diff line number Diff line change
@@ -0,0 +1,106 @@
---
title: Supply Chain Firewall GitHub Action
description: Keep malicious packages out of your CI/CD runners with Datadog's GitHub Action for Supply Chain Firewall.
is_beta: true
disable_toc: false
further_reading:
- link: "https://securitylabs.datadoghq.com/articles/introducing-supply-chain-firewall/"
tag: "Blog"
text: "Introducing Supply-Chain Firewall: Protecting Developers from Malicious Open Source Packages"
- link: "/security/code_security/#supply-chain-security-preview"
tag: "Documentation"
text: "Supply Chain Security"
---

The Supply Chain Firewall GitHub Action installs Datadog's [Supply Chain Firewall](https://github.com/DataDog/supply-chain-firewall) (SCFW) and configures it to transparently intercept supported package manager commands for all subsequent steps in a workflow. When active, any command for a supported package manager is inspected with SCFW before being allowed to run.

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
The Supply Chain Firewall GitHub Action installs Datadog's [Supply Chain Firewall](https://github.com/DataDog/supply-chain-firewall) (SCFW) and configures it to transparently intercept supported package manager commands for all subsequent steps in a workflow. When active, any command for a supported package manager is inspected with SCFW before being allowed to run.
The Supply Chain Firewall GitHub Action installs Datadog's [Supply Chain Firewall][1] (SCFW) and configures it to intercept supported package manager commands in all subsequent workflow steps. When active, SCFW inspects each supported package manager command before allowing it to run.


This action supports Linux and macOS runners. Windows runners are not supported, as SCFW itself does not support Windows.

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
This action supports Linux and macOS runners. Windows runners are not supported, as SCFW itself does not support Windows.
<div class="alert alert-info">This action supports Linux and macOS runners only.</div>


## Usage

```yaml
steps:
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0

- uses: DataDog/supply-chain-firewall-action@2f166ae1d2c34ed717d7b08427c7acb57804f3f5 # v1.0.0
with:
version: '3.1.0'
Comment thread
ikretz marked this conversation as resolved.
package-managers: npm,pip

# npm and pip commands are now transparently intercepted by SCFW.
# Malicious packages are blocked; clean installs proceed normally.
Comment on lines +30 to +31

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
# npm and pip commands are now transparently intercepted by SCFW.
# Malicious packages are blocked; clean installs proceed normally.
# npm and pip commands are inspected by SCFW before they run.
# Flagged packages are blocked; other installs proceed normally.

- run: pip install -r requirements.txt
- run: npm install
```

### With Supply Chain Security integration

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
### With Supply Chain Security integration
### Configure the Supply Chain Security integration


{{< callout url=https://docs.google.com/forms/d/1Xqh5h1n3-jC7au2t30fdTq732dkTJqt_cb7C7T-AkPc/viewform?edit_requested=true
btn_hidden="false" header="Join the Preview!">}}
Use this form to submit your request to join the Supply Chain Security Preview.
{{< /callout >}}

```yaml
steps:
- uses: DataDog/supply-chain-firewall-action@2f166ae1d2c34ed717d7b08427c7acb57804f3f5 # v1.0.0
with:
dd-codesec-logger: 'true'
dd-api-key: ${{ secrets.DD_API_KEY }}
dd-app-key: ${{ secrets.DD_APP_KEY }}
dd-site: datadoghq.eu

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
dd-site: datadoghq.eu
dd-site: {{< region-param key="dd_site" >}}

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I recommend using the region-param shortcode as it renders the value based on the reader's selected site region, so the example stays correct for every region rather than showing EU to everyone.

```

### With a cached `SCFW_HOME` directory

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
### With a cached `SCFW_HOME` directory
### Cache the `SCFW_HOME` directory


Caching `SCFW_HOME` avoids re-fetching verifier data on each run:

```yaml
steps:
- uses: actions/cache@55cc8345863c7cc4c66a329aec7e433d2d1c52a9 # v6.1.0
with:
path: ~/.scfw
key: scfw-${{ runner.os }}

- uses: DataDog/supply-chain-firewall-action@2f166ae1d2c34ed717d7b08427c7acb57804f3f5 # v1.0.0
with:
scfw-home: ~/.scfw
```

## How it works

1. **Install**: The Supply Chain Firewall CLI is installed with `pipx` into an isolated Python environment so it does not interfere with the project's own dependencies.

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
1. **Install**: The Supply Chain Firewall CLI is installed with `pipx` into an isolated Python environment so it does not interfere with the project's own dependencies.
1. **Install**: The Supply Chain Firewall CLI is installed with `pipx` in an isolated Python environment so it does not interfere with the project's dependencies.


2. **Wrap**: For each requested package manager, the action writes a thin wrapper script into a temporary directory and prepends that directory to `PATH`. All subsequent steps that invoke those package managers automatically go through Supply Chain Firewall.

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
2. **Wrap**: For each requested package manager, the action writes a thin wrapper script into a temporary directory and prepends that directory to `PATH`. All subsequent steps that invoke those package managers automatically go through Supply Chain Firewall.
2. **Wrap**: For each requested package manager, the action writes a thin wrapper script to a temporary directory and prepends that directory to `PATH`. All subsequent steps that invoke those package managers are automatically routed through Supply Chain Firewall.


Each wrapper resolves the real binary at call time by removing its own directory from `PATH` before searching, then passes the resolved path to `scfw run --executable`. This helps ensure Supply Chain Firewall always calls the real binary and never re-invokes the wrapper.

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
Each wrapper resolves the real binary at call time by removing its own directory from `PATH` before searching, then passes the resolved path to `scfw run --executable`. This helps ensure Supply Chain Firewall always calls the real binary and never re-invokes the wrapper.
Each wrapper resolves the real binary at call time by removing its own directory from `PATH` before searching for the binary, then passes the resolved path to `scfw run --executable`. This helps ensure that Supply Chain Firewall calls the real binary and does not re-invoke the wrapper.


Activating a Python virtual environment (e.g., `source .venv/bin/activate`) shadows the Supply Chain Firewall wrappers for the remainder of that step. Use `scfw run pip install ...` explicitly for any commands run inside virtual environments.

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
Activating a Python virtual environment (e.g., `source .venv/bin/activate`) shadows the Supply Chain Firewall wrappers for the remainder of that step. Use `scfw run pip install ...` explicitly for any commands run inside virtual environments.
Activating a Python virtual environment, such as with `source .venv/bin/activate`, takes precedence over the Supply Chain Firewall wrappers for the remainder of that step. Use `scfw run pip install ...` explicitly for any commands that run inside virtual environments.


3. **Configure**: Relevant environment variables (`DD_API_KEY`, `SCFW_HOME`, etc.) are written to `GITHUB_ENV` so they are available to all subsequent steps.

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
3. **Configure**: Relevant environment variables (`DD_API_KEY`, `SCFW_HOME`, etc.) are written to `GITHUB_ENV` so they are available to all subsequent steps.
3. **Configure**: Relevant environment variables, such as `DD_API_KEY` and `SCFW_HOME`, are written to `GITHUB_ENV` so they are available to subsequent steps.


Environment variables written to `GITHUB_ENV` are accessible to all subsequent steps in the job, including any third-party actions that run after this one. If you supply `dd-api-key` or `dd-app-key`, audit the actions that follow in your workflow for suspicious behavior or signs of compromise.

## Inputs

| Input | Description | Default |
|-------|-------------|---------|
| `version` | The version of SCFW to install. Use `"latest"` or pin to a specific release (e.g., `"3.1.0"`). | `latest` |

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
| `version` | The version of SCFW to install. Use `"latest"` or pin to a specific release (e.g., `"3.1.0"`). | `latest` |
| `version` | The version of SCFW to install. Use `"latest"` or pin to a specific release (for example, `"3.1.0"`). | `latest` |

| `package-managers` | Comma-separated list of package managers to intercept. Supported: `npm`, `pip`, `poetry`. | `npm,pip,poetry` |
| `error-on-block` | Exit with a non-zero code when an installation is blocked, failing the workflow step. | `true` |

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
| `error-on-block` | Exit with a non-zero code when an installation is blocked, failing the workflow step. | `true` |
| `error-on-block` | Fail the workflow step with a non-zero exit code when an installation is blocked. | `true` |

| `dd-api-key` | Datadog API key for forwarding firewall events to the Datadog HTTP or Code Security API. Use `${{ secrets.DD_API_KEY }}`. | — |
| `dd-app-key` | Datadog application key for forwarding firewall events to the Datadog Code Security API. Use `${{ secrets.DD_APP_KEY }}`. | — |
| `dd-api-logger` | When `"true"`, enables SCFW's Datadog HTTP API logger. Requires `dd-api-key`. | `false` |
| `dd-codesec-logger` | When `"true"`, enables SCFW's Datadog Code Security logger. Requires `dd-api-key` and `dd-app-key`. | `false` |
| `dd-site` | Datadog site (e.g., `datadoghq.com`, `datadoghq.eu`, `us3.datadoghq.com`). Used by both `dd-api-logger` and `dd-codesec-logger`. | `datadoghq.com` |

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
| `dd-site` | Datadog site (e.g., `datadoghq.com`, `datadoghq.eu`, `us3.datadoghq.com`). Used by both `dd-api-logger` and `dd-codesec-logger`. | `datadoghq.com` |
| `dd-site` | Your Datadog site ({{< region-param key="dd_site" code="true" >}}). Used by both `dd-api-logger` and `dd-codesec-logger`. | `datadoghq.com` |

| `dd-log-level` | Controls which firewall events are forwarded to Datadog. `ALLOW` logs all events; `BLOCK` logs only blocked events. | `ALLOW` |
| `scfw-home` | Directory for SCFW's local cache. Point this at a cached directory to speed up verifier data fetches across runs. | — |
| `on-warning` | Action that SCFW should take on warning-level findings: `ALLOW` or `BLOCK`. Defaults to `BLOCK` in non-interactive environments. | — |
| `package-minimum-age` | Minimum age in hours a package must have before installation is allowed. | `24` |

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
| `package-minimum-age` | Minimum age in hours a package must have before installation is allowed. | `24` |
| `package-minimum-age` | Minimum age, in hours, that a package version must reach before installation is allowed. | `24` |

| `dd-env` | Datadog environment tag attached to all forwarded firewall events. | `ci` |
| `dd-log-attributes` | A JSON object of custom attributes to attach to all forwarded Datadog log events (e.g., `'{"team":"security"}'`). | — |

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
| `dd-log-attributes` | A JSON object of custom attributes to attach to all forwarded Datadog log events (e.g., `'{"team":"security"}'`). ||
| `dd-log-attributes` | A JSON object of custom attributes to attach to all forwarded Datadog log events (for example, `'{"team":"security"}'`). ||


## Outputs

| Output | Description |
|--------|-------------|
| `scfw-version` | The installed version of Supply Chain Firewall. |

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
| `scfw-version` | The installed version of Supply Chain Firewall. |
| `scfw-version` | The installed version of Supply Chain Firewall. |
## Further reading
{{< partial name="whats-next/whats-next.html" >}}
[1]: https://github.com/DataDog/supply-chain-firewall

Loading